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Foreword 



rd , 



This Technical Specification (TS) has been produced by the 3 Generation Partnership Project (3GPP). 

The contents of the present document are subject to continuing work within the TSG and may change following formal 
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an 
identifying change of release date and an increase in version number as follows: 

Version x.y.z 

where: 

X the first digit: 

1 presented to TSG for information; 

2 presented to TSG for approval; 

3 or greater indicates TSG approved document under change control. 

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, 
updates, etc. 

z the third digit is incremented when editorial only changes have been incorporated in the document. 



Introduction 



This document has been prepared by the 3GPP Task Force, and contains an example set of algorithms which may be 
used as the authentication and key generation functions /7,/7*,/2,/5,/4,/5 and/5*. (It is not mandatory that the 
particular algorithms specified in this document are used — all seven functions are operator-specifiable rather than 
being fully standardised). This document is one five, which between them form the entire specification of the example 
algorithms, entitled: 

3GPP TS 35.205: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 1: General". 

3GPP TS 35.206: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 2: Algorithm Specification". 

3GPP TS 35.207: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 3: Implementors' Test Data". 

- 3GPP TS 35.208: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 4: Design Conformance Test Data". 

3GPP TR 35.909: "3rd Generation Partnership Project; Technical Specification Group Services and System 
Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP 
authentication and key generation functions fl, fl*, f2, f3, f4, f5 and f5*; 
Document 5: Summary and results of design and evaluation". 
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The name "MILENAGE" 



The name of this algorithm set is "MILENAGE". It should be pronounced like a French word — something like "mi- 
le-nahj". 



Outline of the document 



Section 2 introduces the algorithms and describes the notation used in the subsequent sections. 

Section 3 explains how the algorithms are designed as a framework in such a way that various "customising 
components" can be selected in order to customise the algorithm for a particular operator. 

Section 4 defines the example algorithms. The algorithm framework is defined in section 4.1; in section 4.2, specific 
instances of the components are selected to define the specific example algorithm set. 

Section 5 explains various options and considerations for implementation of the algorithms, including considerations to 
be borne in mind when modifying the customising components. 

Illustrative pictures are given in Annex 1 . Annex 2 gives a specification of the block cipher algorithm which is used as a 
cryptographic kernel in the definition of the example algorithms. Annexes 3 and 4 contain source code in the C 
programming language: Annex 3 gives a complete and straightforward implementation of the algorithm set, while 
Annex 4 gives an example of an alternative high-performance implementation just of the kernel function. 

1.1 References 

The following documents contain provisions which, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication, edition number, version number, etc.) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including 
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same 
Release as the present document. 

[1] 3GPP TS 33.102 v3.5.0: "3rd Generation Partnership Project; Technical Specification Group 

Services and System Aspects; 3G Security; Security Architecture". 

[2] 3GPP TS 33.105 v3.4.0: "3rd Generation Partnership Project; Technical Specification Group 

Services and System Aspects; 3G Security; Cryptographic Algorithm Requirements". 

[3] 3GPP TS 35.206: "3rd Generation Partnership Project; Technical Specification Group Services 

and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example 
algorithm set for the 3GPP authentication and key generation functions fl, fl*, f2, G, f4, f5 and 
f5*; Document 2: Algorithm Specification" (this document). 

[4] 3GPP TS 35.207: "3rd Generation Partnership Project; Technical Specification Group Services 

and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example 
algorithm set for the 3GPP authentication and key generation functions fl, fl*, f2, D, f4, f5 and 
f5*; Document 3: Implementors' Test Data". 

[5] 3GPP TS 35.208: "3rd Generation Partnership Project; Technical Specification Group Services 

and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set: An example 
algorithm set for the 3GPP authentication and key generation functions fl, fl*, f2, G, f4, f5 and 
f5*; Document 4: Design Conformance Test Data". 
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[6] Joan Daemen and Vincent Rijmen: "AES Proposal: Rijndael", available at 

http://csrc.nist.gov/encrvption/aes/round2/AESAlgs/Riindael/Riindael.pdf or 
http://www.esat.kuleuven.ac.be/~riimen/riindael/riindaeldocV2.zip 

[7] http://csrc.nist.gov/encrvption/aes/ 

[8] Thomas S. Messerges, "Securing the AES finaUsts against Power Analysis Attacks", in FSE 2000, 

Seventh Fast Software Encryption Workshop, ed. Schneier, Springer Verlag, 2000. 

[9] P. C. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other 

Systems", in CRYPTO'96, Lecture Notes in Computer Science #1 109, Springer Verlag, 1996. 

[10] J. Kelsey, B. Schneier, D. Wagner, C. Hall, "Side Channel Cryptanalysis of Product Ciphers", in 

ESORICS'98, Lecture Notes in Computer Science #1485, Springer Verlag, 1998. 

[11] L. Goubin, J. Patarin, "DES and differential power analysis", in CHES'99, Lecture Notes in 

Computer Science #1717, Springer Verlag, 1999. 

[12] P. Kocher, J. Jaffe, B. Jun, "Differential Power Analysis", in CRYPTO'99, Lecture Notes in 

Computer Science #1666, Springer Verlag, 1999. 

[13] L. Goubin, J.-S. Coron, "On boolean and arithmetic masking against differential power analysis", 

in CHES'OO, Lecture Notes in Computer Science series. Springer Verlag (to appear). 



INTRODUCTORY INFORMATION 



2.1 Introduction 

Within the security architecture of the 3GPP system there are seven security functions/7, /7*,/2,/5,/4,/5 and/5*. 
The operation of these functions falls within the domain of one operator, and the functions are therefore to be specified 
by each operator rather than being fully standardised. The algorithms specified in this document are examples that may 
be used by an operator who does not wish to design his own. 

The inputs and outputs of all seven algorithms are defined in section 2.4. 

2.2 Notation 

2.2.1 Radix 

We use the prefix Ox to indicate hexadecimal numbers. 

2.2.2 Conventions 

We use the assignment operator '=', as used in several programming languages. When we write 

<variable> = <expression> 
we mean that <variable> assumes the value that <expression> had before the assignment took place. For instance, 

x = X + y + 3 
means 

(new value of x) becomes (old value of x) + (old value of y) + 3. 

2.2.3 Bit/Byte ordering 

All data variables in this specification are presented with the most significant bit (or byte) on the left hand side and the 
least significant bit (or byte) on the right hand side. Where a variable is broken down into a number of substrings, the 
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leftmost (most significant) substring is numbered 0, the next most significant is numbered 1, and so on through to the 
least significant. 



2.2.4 List of Symbols 



e 
II 

E[x]k 
rot(x,r) 



X[i] 



The assignment operator. 

The bitwise exclusive-OR operation 

The concatenation of the two operands. 

The result of applying a block cipher encryption to the input value x using the key k. 

The result of cyclically rotating the 128-bit value x by r bit positions towards the most significant 

bit. If X = x[0] II x[l] II ... x[127], and y = rot(x,r), 

then y = x[r] II x[r+l] II ... x[127] II x[0] II x[l] II x[r-l]. 



The i" bit of the variable X. (X = X[0] II X[l] II X[2] 



). 



2.3 List of Variables 

AK a 48-bit anonymity key that is the output of either of the functions /5 and/5*. 

AMF a 16-bit authentication management field that is an input to the functions/7 and/7*. 

cl,c2,c3,c4,c5 128-bit constants, which are XORed onto intermediate variables. 

CK a 128-bit confidentiality key that is the output of the function/?. 

IK a 128-bit integrity key that is the output of the function/4. 

INI a 128 -bit value constructed from SQN and AMF and used in the computation of the functions /7 

and/7*. 
K a 128-bit subscriber key that is an input to the f mictions f 1, f 1 *, f2,f 3, f 4, f 5 and/5*. 

MAC- A a 64-bit network authentication code that is the output of the function/7. 

MAC-S a 64-bit resynchronisation authentication code that is the output of the function/7*. 

OP a 128-bit Operator Variant Algorithm Configuration Field that is a component of the functions/7, 

/7*,^,/5,/4,/5 and/5* 
OPc a 128-bit value derived from OP and K and used within the computation of the functions. 

OUTl,OUT2,OUT3,OUT4,OUT5 

128-bit computed values from which the outputs of the functions /7,/7*,/2,/5,/4,/5 and /J* are 

obtained. 
rl,r2,r3,r4,r5 integers in the range 0-127 inclusive, which define amounts by which intermediate variables are 

cyclically rotated. 
RAND a 128-bit random challenge that is an input to the functions /7,/7*,/2,/5,/4,/5 and/5*. 

RES a 64-bit signed response that is the output of the functiony2. 

SQN a 48-bit sequence number that is an input to either of the functions /7 and/7*. (For/7* this input 

is more precisely called SQNms) 
TEMP a 128-bit value used within the computation of the functions. 

2.4 Algorithm Inputs and Outputs 

The inputs to the algorithms are given in tables 1 and 2, the outputs in tables 3-9 below. 

Table 1 : inputs to f1 and f1 * 



Parameter 


Size (bits) 


Comment 


K 


128 


Subscriber key K[0]...K[127] 


RAND 


128 


Random challenge RAND[0]...RAND[127] 


SQN 


48 


Sequence number SQN[0]...SQN[47]. (For fr*this input is 
more precisely called SQNms-) 


AMF 


16 


Authentication management field AMF[0]...AMF[15] 



Table 2: inputs to f2, f3, f4, ^5 and f5* 



Parameter 


Size (bits) 


Comment 


K 


128 


Subscriber key K[0]...K[127] 


RAND 


128 


Random challenge RAND[0]...RAND[127] 
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Tables: f/ output 



Parameter 


Size (bits) 


Comment 


MAC-A 


64 


Network authentication code IVIAC-A[0] . . . IVIAC 


-A[63] 


Table 4: ^r output 


Parameter 


Size (bits) 


Comment 


MAC-S 


64 


Resyncli authentication code IVIAC-S[0]... IVIAC 


-S[631 1 


Tables, e output 


Parameter 


Size (bits) 


Comment 


RES 


64 


Response RES[0]...RES[63] 


Table 6. f3 output 


Parameter 


Size (bits) 


Comment 


CK 


128 


Confidentiality key CK[0] . . . CK[1 27] 


Table 7. f4 output 


Parameter 


Size (bits) 


Comment 


IK 


128 


Integrity key IK[0]...IK[127] 


Table 8. f5 output 


Parameter 


Size (bits) 


Comment 


AK 


48 


Anonymity key AK[0]...AK[47] 


Tables. ^5* output 


Parameter 


Size (bits) 


Comment 


AK 


48 


Resynch anonymity key AK[0]...AK[47] 



Note: Both f5 and f5* outputs are called AK according to reference [2]. In practice only one of them will be calculated 
in each instance of the authentication and key agreement procedure. 



3 The algorithm framework and the specific example 

algorithms 

The example algorithm set makes use of the following components: 

A block cipher encryption function, which takes a 128-bit input and a 128-bit key and returns a 128-bit output. 
If the input is x, the key is k and the output is y, we write y = E[x]ii. 

A 128-bit value OP. This is an Operator Variant Algorithm Configuration Field, which the Task Force was 
asked to include as a simple means to provide separation between the functionality of the algorithms when used 
by different operators. It is left to each operator to select a value for OP. The algorithm set is designed to be 
secure whether or not OP is publicly known; however, operators may see some advantage in keeping their value 
of OP secret. This and other aspects of the use of OP are discussed further in section 5. 

In the specific example algorithm set, a particular block cipher is used. But the algorithms have been designed so that 
this component can be replaced by any operator who wishes to create his own customised algorithm set. In that sense 
this document defines an algorithm framework, and the example algorithm set is one that fits within the framework. 
This is how the algorithm set is defined in section 4: in section 4. 1 the framework is defined in terms of the block 
cipher, and then in section 4.2 a block cipher is selected to give a fully specified algorithm set. 
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Definition of the example algorithms 



4.1 Algorithm Framework 

A 128-bit value OPc is derived from OP and K as follows: 

oPc = OP e e[op]k. 

An intermediate 128-bit value TEMP is computed as follows: 

TEMP = E[RAND ® OPcIk- 

A 128-bit value INI is constructed as follows: 
IN1[0] .. IN1[47] = SQN[0] .. SQN[47] 
IN1[48] .. IN1[63] = AMF[0] .. AMF[15] 
IN1[64] .. IN1[111] = SQN[0] .. SQN[47] 
IN1[112] ..IN1[127]=AMF[0] .. AMF[15] 

Five 128-bit constants cl, c2, c3, c4, c5 are defined as follows: 

cl[i]=OforO<i< 127 

c2[i] = for < i < 127, except that c2[127] = 

c3[i] = for < i < 127, except that c3[126] = 

c4[i] = for < i < 127, except that c4[125] = 

c5[i] = for < i < 127, except that c5[124] = 

Five integers rl, r2, r3, r4, r5 are defined as follows: 

rl = 64; r2 = 0; r3 = 32; r4 = 64; r5 = 96 

Five 128-bit blocks OUTl, OUT2, OUT3, OUT4, OUTS are computed as follows: 

OUTl = E[TEMP e rot(INl OPc, rl) ® c1]k ® OPc 
OUT2 = E[rot(TEMPe OPc, r2) c2]k ® OPc 
OUT3 = E[rot(TEMPe OPc, r3) c3]k ® OPc 
OUT4 = E[rot(TEMPe OPc, r4) c4]k ® OPc 
OUTS = E[rot(TEMPe OPc, rS) ® cS]k ® OPc 

The outputs of the various functions are then defined as follows: 

Output of/7 = MAC- A, where MAC-A[0] .. MAC-A[63] = OUT1[0] .. OUTl [63] 
Output of/7* = MAC-S, where MAC-S[0] .. MAC-S[63] = OUTl[64] .. OUTl[127] 
Output of/2 = RES, where RES[0] .. RES[63] = OUT2[64] .. OUT2[127] 
Output of/5 = CK, where CK[0] .. CK[127] = OUT3[0] .. OUT3[127] 
Output of/4 = IK, where IK[0] .. IK[127] = OUT4[0] .. OUT4[127] 
Output of/5 = AK, where AK[0] .. AK[47] = OUT2[0] .. OUT2[47] 
Output of/5* = AK, where AK[0] .. AK[47] = OUTS[0] .. OUTS[47] 

(The repeated reference to AK is not a mistake: AK is the name of the output of either /5 or/5*, and these two functions 
will not in practice be computed simultaneously.) 



4.2 Specific Example Algorithms 



The specific example algorithm set is defined by specifying the block cipher encryption function E[], which we do in 
this section. (It is left to each operator to specify the Operator Variant Algorithm Configuration Field OP.) 

The block cipher selected is Rijndael [6]. This is the algorithm proposed as the Advanced Encryption Standard [7]. 
More precisely, it is Rijndael with 128-bit key and 128-bit block size. 

E[x]i; = the result of applying the Rijndael encryption algorithm 
to the 128 -bit value x under the 128 -bit key k. 
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Although the definitive specification of Rijndael is in [6], a complete specification of Rijndael with 128-bit key and 
128-bit block size is also given in Annex 2 of this document. 

The inputs to and output of Rijndael are defined as strings of bytes. The 128-bit string x = x[0] II x[l] II ... x[127] is 
treated as a string of bytes by taking x[0] II x[l] II ... x[7] as the first byte, x[8] II x[9] II ... x[15] as the second byte, and 
so on. The key and output string are converted in the same way. 

Note that the following patent statement has been made publicly (and included in [6]) by the authors of the Rijndael 
algorithm: "Rijndael or any of its implementations is not and will not be subject to patents." 



5 Implementation considerations 

5.1 OPc computed on or off the USIIVI? 

Recall that OP is an Operator Variant Algorithm Configuration Field. It is expected that each operator will define a 
value of OP which will then be used for all its subscribers. (It is up to operators to decide how to manage OP. The 
value of OP used for new batches of USIMs could be changed occasionally; or perhaps a different value could be given 
to each different USIM supplier. OP could even be given a different value for every subscriber if desired, but that is 
not really the intention.) 

It will be seen in section 4.1 that OPc is computed from OP and K, and that it is only OPc, not OP, that is ever used in 
subsequent computations. This gives two alternative options for implementation of the algorithms on the USIM: 

(a) OPc computed off the USIM: OPc is computed as part of the USIM prepersonalisation process, and OPc is 
stored on the USIM. OP itself is not stored on the USIM. 

(b) OPc computed on the USIM: OP is stored on the USIM (it may be considered as a hard-coded part of the 
algorithm if preferred). OPc is recomputed each time the algorithms are called. 

The SAGE Task Force recommends that OPc be computed off the USIM if possible, since this gives the following 
benefits: 

The complexity of the algorithms run on the USIM is reduced. 

It is more likely that OP can be kept secret. (If OP is stored on the USIM, it only takes one USIM to be reverse 
engineered for OP to be discovered and published. But it should be difficult for someone who has discovered 
even a large number of (OPc, K) pairs to deduce OP. That means that the OPc associated with any other value 
of K will be unknown, which may make it harder to mount some kinds of cryptanalytic and forgery attacks. The 
algorithms are designed to be secure whether or not OP is known to the attacker, but a secret OP is one more 
hurdle in the attacker's path.) 

5.2 Customising the choice of block cipher 

It was explained in section 3 that an operator may create a variant algorithm set by selecting a block cipher other than 
Rijndael. It is vitally important that whatever block cipher is chosen is one that has been extensively analysed and is 
still believed to be secure. The security of the authentication and key generation functions is crucially dependent on the 
strength of the block cipher. 

Strictly speaking, in fact, the kernel function does not have to be a block cipher; it just has to be a keyed function (with 
128-bit input, key and output) satisfying the following cryptographic requirement: 

Let the key be fixed. Without initial knowledge of the key, but with a large number of pairs of chosen input and 
resulting output, it must be infeasible to determine the key, and also infeasible to predict the output for any other 
chosen input with probability significantly greater than 2"'^*. 

See also section 5.4 about protecting against side channel attacks; this will need to be borne in mind when 
selecting/implementing a replacement kernel function. 
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5.3 Further customisation 

If an operator wishes to customise the algorithms still further, a simple approach is to select different values for the 
constants cl-c5 and rl-r5. If this is done, the pairs (ci, ri) must all be different . It must not be the case that both ci = 
cj and ri = rj for i ?* j. For instance, it must not be the case that both c2 = c4 and r2 = r4. Additionally it is 
recommended that the following restrictions are applied: 

cl has even parity. (A 128-bit value has even parity if the number of 'I's in its binary representation is even.) 

c2-c5 all have odd parity. 

5.4 Resistance to side channel attacks 

When these algorithms are implemented on a USIM, consideration should be given to protecting them against side 
channel attacks such as differential power analysis (DPA). [8, 9, 10, 11, 12, 13] may be useful references. 
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Annex 1 : 

Figure of the Algorithms 
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Annex 2: 

Specification of the Block Cipher Algorithm Rijndael 



A2.1 Introduction 



This section provides a specification for the example kernel function. The block cipher used is Rijndael. The complete 
specification of Rijndael is given elsewhere [6]. To quote from [6]: 

"Rijndael is an iterated block cipher with a variable block length and a variable key length. The block length and 
the key length can be independently specified to 128, 192 or 256 bits." 

For 3GPP purpose, Rijndael is used only in encryption mode and has the block and key length both set to 128 bits. For 
the rest of this section, when we refer to Rijndael we mean Rijndael with 128-bit block and key length. This document 
describes a simple byte oriented implementation of the encryption mode of Rijndael. Readers wishing more detail on 
the design of the cipher or implementation speed-ups are referred to the original document [6]. 



A2.2 The State and External Interfaces of Rijndael 

Rijndael is composed of a series of rounds that transform the input into the output. An intermediate result is called the 
State. The State can be pictured as a 4x4 rectangular array of bytes (128 bits in total). The Cipher Key is similarly 
pictured as a 4x4 rectangular array. These representations are illustrated in Figure 1 . 
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Figure 1 : Example of State and Cipher Key layout 

Rijndael takes plaintext bytes Pq, Pi, . . .,Pis and key bytes Ko, Ki, . . .K15 as input and ciphertext bytes Co, Ci, . . ., C15 as 
output. The plaintext bytes are mapped onto the state bytes in the order ao,o, ai,o, ^2,0, ^3,0, ao,i, ai,i, 82,1, 83,1, ■ ■ • and the 
key bytes in the order ko,o, ki^o, k2,o, ^3,0, ko,i, ki^i, k2,i, ks^i,. . .. At the end of the cipher operation, the ciphertext is 
extracted from the State by taking the State bytes in the same order. 

Hence if the one-dimensional index of a byte within a block is n and the two dimensional index is (i, j), we have: 

i = n mod 4; j = LhmJ ; n = i H- 4 * j 
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A2.3 Internal Structure 

Rijndael consists of the following operations: 
an initial Round Key addition 
9 rounds, numbered 1-9, each consisting of 

a byte substitution transformation 

a shift row transformation 

a mix column transformation 

a Round Key addition 
A final round (round 10) consisting of 

a byte substitution transformation 

a shift row transformation 

a Round Key addition 

The component transformations and how the Round Keys are derived from the cipher keys are specified in the 
following subsections. 

A2.4 The Byte Substitution Transformation 

The byte substitution transformation is a non-linear byte substitution, operating on each of the State bytes 
independently. The substitution table (S-box) is given in section A2.9. 

Figure 2 illustrates the effect of the byte substitution transformation on the State. 
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Figure 2: Byte substitution acts on thie individual bytes of the State 

So, for every element of State, we apply the transformation: 

bij = S-box[ ay ] 

Where aij is the initial value of the element in State, 
and bij is the output value of the element in State. 
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A2.5 The Shift Row Transformation 

In the shift row transformation, the rows of the State are cyclically left shifted by different amounts. Row is not 
shifted, row 1 is shifted by 1 byte, row 2 by 2 bytes and row 3 by 3 bytes. 

Figure 3 illustrates the effect of the shift row transformation on the State. 



ao, 



ai,o 



a2, 



a3,o 



ao, 1 



ai, 1 



a2, 1 



as, 1 



ao,2 



ai,2 



a2,2 



as, 2 



ao,3 



ai,3 



a2,3 



as, 3 



No shift 




Cychc left shift by 1 




Cyclic left shift by 2 




Cyclic left shift by 3 




ao, 



ai, 1 



a2,2 



a3,3 



ao, 1 



ai,2 



a2,3 



a3,o 



ao,2 



ai,3 



a2,o 



a3, 1 



ao,3 



ai,o 



a2, 1 



a3,2 



Figure 3: Shift Row operates on the rows of the State 



A2.6 The IVIix Column Transformation 

The mix column transformation operates on each column of the State independently. For column j , we have 



bi 

b2j 

b3 



= T2(a„,j) e T3(ai^|) @ aa^i @ ajj 
= aoj e T2(aij) e T3(a2j) ® ajj 
= aojeaijeT2(a2j)eT3(a3j) 
= T3(a„j) e aij e a2j ® TzCajj) 



where: 



T2(a) = 2*a if a < 128 

or TzCa) = (2*a) ® 283 if a > 128 
and T3(a) = T2(a) a. 



For example: 



If a = 63 then T2(63) = 126; T3(63) = T2(63) 63 = 65 

If a = 143 then T2(143) = 5; T3(143) = T2(143) 143 = 138. 

Figure 4 illustrates the effect of the mix column transformation on the State. 
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Figure 4: Mix Column operates on the columns of the State 



A2.7 The Round Key addition 



In this operation, a Round Key is applied to the State by a simple bitwise exclusive-or. The Round Key is derived from 
the Cipher Key by means of the key schedule. The Round Key length is equal to the block length. 

This transformation is illustrated in Figure 5. 
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Figure 5: In the key addition the Round Key is bitwise XORed to the State 

So, for every element of State, we have: 

bij = aij ® rky 

Where aij is the initial value of the element in State, 

bij is the output value of the element in State, and 
rkij is the round key byte. 



A2.8 Key schedule 



Rijndael has 1 1 Round Keys, numbered 0-10, that are each 4x4 rectangular arrays of bytes. The Round Keys are 
derived from the Cipher Key by means of the key schedule. The initial Round Key (thought of as the zeroth Round 
Key) is formed directly from the cipher key. This zero* Round Key is used unaltered for the initial key addition. The 
remaining Round Keys are used in the ten rounds. Each new round key is derived from the previous round key. Note: It 
is possible to run the key schedule round by round on an "as required" basis and so only use a total of 16 bytes to store 
the Round Key. 

Let rkf ij be the value of the r* Round Key at position ( i, j ) in the array and kj j be the cipher key loaded into a 4x4 
array. 

Intialisation: rko,ij = ky for alii and j. 
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The other Round Keys (r=l to 10 inclusive) are calculated from the previous one as follows. First the column is 
constructed: 

rkr,o,o = rkr.1^0,0 ® S-box[rkr.i^i^3] ® round_const[r] 
rkr,i,o = rkr.1,1,0 ® S-box[rkr.i,2,3] 
rkr,2,o = rkr-1,2,0 © S-box[rkr.i,3,3] 
rkr,3,o = rkr.1,3,0 ® S-box[rkr.i,o,3] 

where round_const[l] = 1 and round_const[r] = T2(round_const[r-l]), and S-box is the previously mentioned byte 
substitution. 

Then the remaining three columns are constructed in turn from the corresponding column of the previous Round Key 
and the previous column of the current Round Key: 

rkr,ij = rkr.i,ij rkr^j.i for 1=0,1,2,3 and j=l,2,3. 

Note: The ten round constants computed from the equations: 

round_const[1] = 1 

round_const[r] = T2(round_const[r-1]) r=2,3...,10 

are: 1, 2, 4, 8, 16, 32, 64, 128, 27, 54. 



A2.9 The Rijndael S-box 

Sbox[256] = { 

99,124,119,123,242,107,111,197, 48, 1,103, 43,254,215,171,118, 

202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 

183,253,147, 38, 54, 63,247,204, 52,165,229,241,113,216, 49, 21, 

4,199, 35,195, 24,150, 5,154, 7, 18,128,226,235, 39,178,117, 

9,131, 44, 26, 27,110, 90,160, 82, 59,214,179, 41,227, 47,132, 

83,209, 0,237, 32,252,177, 91,106,203,190, 57, 74, 76, 88,207, 
208,239,170,251, 67, 77, 51,133, 69,249, 2,127, 80, 60,159,168, 

81,163, 64,143,146,157, 56,245,188,182,218, 33, 16,255,243,210, 
205, 12, 19,236, 95,151, 68, 23,196,167,126, 61,100, 93, 25,115, 

96,129, 79,220, 34, 42,144,136, 70,238,184, 20,222, 94, 11,219, 
224, 50, 58, 10, 73, 6, 36, 92,194,211,172, 98,145,149,228,121, 
231,200, 55,109,141,213, 78,169,108, 86,244,234,101,122,174, 8, 
186,120, 37, 46, 28,166,180,198,232,221,116, 31, 75,189,139,138, 
112, 62,181,102, 72, 3,246, 14, 97, 53, 87,185,134,193, 29,158, 
225,248,152, 17,105,217,142,148,155, 30,135,233,206, 85, 40,223, 
140,161,137, 13,191,230, 66,104, 65,153, 45, 15,176, 84,187, 22} 
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Annex 3: 

Simulation Program Listing - Byte Oriented 



Example algorithms fl, fl*, f2, f3, f4, f5, fS"* 



A sample implementation of the example 3GPP authentication and 
key agreement functions fl, fl*, f2, f3, f4, f5 and f5*. This is 
a byte-oriented implementation of the functions, and of the block 
cipher kernel function Rijndael. 

This has been coded for clarity, not necessarily for efficiency. 

The functions f2, fS, f4 and f5 share the same inputs and have 
been coded together as a single function. fl, fl* and f5* are 
all coded separately. 



typedef unsigned char u8; 



/* Operator Variant Algorithm Configuration Field */ 

/* Insert your value of OP here */ 

u8 OP [16] = (0x63, Oxbf , 0xa5, OxOe, 0xe6, 0x52, 0x33, 0x65, 
Oxff, 0x14, Oxcl, 0xf4, Ox5f, 0x88, 0x73, Ox7d}; 
/* Insert your value of OP here */ 



/* prototypes */ 

void fl ( u8 k[16], u8 rand[16], u8 sqn[6], u8 amf[2], 

u8 mac_a [8] ) ; 
void 12345 ( u8 k[16], u8 rand[16], 

u8 res[8], u8 ck[16], u8 ik[16], u8 ak[6] ) ; 
void flstar( u8 k[16], u8 rand[16], u8 sqn[6], u8 amf[2], 

u8 mac_s [8] ) ; 
void f5star( u8 k[16], u8 rand[16], 

u8 ak[6] ) ; 
void ComputeOPc ( u8 op_c [16] ) ; 
void Ri jndaelKeySchedule ( u8 key [16] ); 
void Ri jndaelEncrypt ( u8 input [16] , u8 output [16] ) ; 



Algorithm fl 



* Computes network authentication code MAC-A from key K, random 

* challenge RAND, sequence number SQN and authentication management 

* field AMF. 

* */ 

void fl ( u8 k[16), u8 rand[16], u8 sqn[6], u8 amf[2], 

u8 mac_a[8] ) 
{ 

u8 op_c [16] ; 

u8 temp[16] ; 

u8 inl[16]; 

u8 outl[16]; 

u8 ri jndaellnput [16] ; 

u8 i; 

Ri jndaelKeySchedule ( k ); 

ComputeOPc ( op_c ) ; 

for (i=0; i<16; i++) 

ri jndaellnput [i] = rand[i] "^ op„c[i]; 
RijndaelEncrypt ( ri jndaellnput, temp ); 
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for (i=0; i<6; i++) 
{ 

inl [i] = sqn [i] ; 

inl [i+8] = sqn[i] ; 
} 

for (1=0; i<2; i++) 
{ 

inl [1+6] = amf [1] ; 

Inl [1+14] = amf [1] ; 



/* XOR op_c and Inl, rotate by rl=64, and XOR * 
* on the constant cl (which Is all zeroes) */ 

for (1=0; 1<16; 1++) 

rl jndaellnput [ (1+8) % 16] = lnl[l] '^ op_c[l]; 

/* XOR on the value temp computed before */ 

for (1=0; 1<16; 1++) 

rl jndaellnput [1] ^= temp[l]; 

Rl jndaelEncrypt ( rl jndaellnput , outl ); 
for (1=0; 1<16; 1++) 
outl[l] '~= op_c[l]; 

for (1=0; 1<8; 1++) 
mac_a[l] = outl[l]; 

return; 

/* end of function fl */ 



Algorithms f2-f5 



* Talces key K and random challenge RAND, and returns response RES, 

* confidentiality key CK, Integrity key IK and anonymity key AK. 

void f2345 ( u8 k[16], u8 rand[16], 

u8 res[8], u8 ck[16], u8 lk[16], u8 ak[6] ) 
{ 

u8 op_c [16] ; 

u8 temp[16] ; 

u8 out [16]; 

u8 rl jndaellnput [16] ; 

u8 1; 

Rl jndaelKeySchedule ( k ); 

ComputeOPc ( op_c ) ; 

for (1=0; 1<16; 1++) 

rl jndaellnput [1] = rand[l] ^ op_c[l]; 
Rl jndaelEncrypt ( rl jndaellnput , temp ); 

/* To obtain output block 0UT2: XOR OPc and TEMP, * 

* rotate by r2=0, and XOR on the constant c2 (which * 

* is all zeroes except that the last bit is 1) . */ 

for (1=0; 1<16; 1++) 

rl jndaellnput [1] = temp[i] '^ op_c[i]; 
rl jndaellnput [15] ^= 1; 



Rl jndaelEncrypt ( rl jndaellnput , out ); 
for (1=0; 1<16; 1++) 



out [1] 



op_c [ 1 ] 



for (1=0; 1<8; 1++) 
res [1] = out [1+8] , 

for (1=0; 1<6; 1++) 
ak [1] = out [1] ; 



/* To obtain output block 0UT3: XOR OPc an 



id TEMP, 
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* rotate by r3=32, and XOR on the constant c3 (which * 

* is all zeroes except that the next to last bit is 1) . */ 

for (1=0; i<16; 1++) 

ri jndaellnput [ (1+12) % 16] = temp[i] '^ op_c[i]; 
ri jndaellnput [15] ^= 2; 

Ri jndaelEncrypt ( ri jndaellnput , out ) ; 
for (1=0; i<16; 1++) 
out[i] '"= op_c[i]; 

for (1=0; i<16; 1++) 
ck [1] = out [1] ; 

/* To obtain output bloclc 0UT4 : XOR OPc and TEMP, * 

* rotate by r4=64, and XOR on the constant c4 (which * 

* is all zeroes except that the 2nd from last bit is 1) . */ 

for (1=0; i<16; 1++) 

ri jndaellnput [ (1+8) % 16] = temp[i] ^ op_c[i]; 
ri jndaellnput [15] ^= 4; 

Ri jndaelEncrypt ( ri jndaellnput , out ) ; 
for (1=0; i<16; 1++) 
out[i] ^= op_c[i]; 

for (1=0; i<16; 1++) 
ik[i] = out [1] ; 

return; 
} /* end of function 12345 */ 



Algorithm fl^ 



Computes resynch authentication code MAC-S from key K, random 
challenge RAND, sequence number SQN and authentication management 
field AMF. 



void flstar( u8 k[16], u8 rand[16], u8 sqn[6], u8 amf[2], 

u8 mac_s [8] ) 
{ 

u8 op_c [16] ; 

u8 temp[16] ; 

u8 inl[16]; 

u8 outl[16]; 

u8 ri jndaellnput [ 16] ; 

u8 1; 

Ri jndaelKeySchedule ( k ); 

ComputeOPc ( op_c ) ; 

for (1=0; i<16; 1++) 

ri jndaellnput [1] = rand[i] '^ op_c[i]; 
Ri jndaelEncrypt ( ri jndaellnput , temp ); 

for (1=0; i<6; 1++) 
{ 

inl [1] = sqn [1] ; 

inl [1+8] = sqn[i] ; 
} 

for (1=0; i<2; 1++) 
{ 

inl [1 + 6] = amf [1] ; 

inl [1+14] = amf [1] ; 



/* XOR op„c and inl, rotate by rl=64, and XOR * 
* on the constant cl (which is all zeroes) */ 

for (1=0; i<16; 1++) 

ri jndaellnput [ (1+8) % 16] = inl[i] ^ op_c[i]; 
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/* XOR on the value temp computed before */ 

for (1=0; 1<16; 1++) 

rl jndaellnput [1] ^= temp[l]; 

Rl jndaelEncrypt ( rl jndaellnput ^ outl ); 
for (1=0; 1<16; 1++) 
outl[l] ^= op_c[l]; 

for (1=0; 1<8; 1++) 
mac_s[l] = outl [1+8]; 

return; 
} /* end of function flstar */ 



Algorithm 15* 



Takes key K and random challenge RAND, and returns resynch 
anonymity key AK. 



void f5star( u8 k[16], u8 rand[16], 

u8 ak[6] ) 
{ 

u8 op_c [16] ; 

u8 temp[16] ; 

u8 out [16]; 

u8 rl jndaellnput [16] ; 

u8 1; 

Rl jndaelKeySchedule ( k ); 

ComputeOPc ( op_c ) ; 

for (1=0; 1<16; 1++) 

rl jndaellnput [1] = rand[l] ^ op_c[l]; 
Rl jndaelEncrypt ( rl jndaellnput , temp ); 

/* To obtain output block OUTS: XOR OPc and TEMP, * 

* rotate by r5=96, and XOR on the constant c5 (which * 

* Is all zeroes except that the 3rd from last bit Is 1) . */ 

for (1=0; 1<16; 1++) 

rl jndaellnput [ (1+4) % 16] = temp[l] ^ op_c[l]; 
rl jndaellnput [15] ^= 8; 

Rl jndaelEncrypt ( rl jndaellnput , out ); 
for (1=0; 1<16; 1++) 
out[l] '"= op_c[l]; 

for (1=0; 1<6; 1++) 
ak [1] = out [1] ; 

return; 
} /* end of function fSstar */ 



Function to compute OPc from OP and K. Assumes key schedule has 
already been performed. 



void ComputeOPc ( u8 op„c[16] ) 



Rl jndaelEncrypt ( OP, op_c ) ; 
for (1=0; 1<16; 1++) 
op_c [1] ^= OP [1] ; 

return; 
} /* end of function ComputeOPc */ 
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/* 

u8 roundKeys [11] [4] [4] ; 



Rijndael round subkeys 



I* — 
u8 S[ 

99,1 

202, 1 

183,2 

4, 1 

9, 1 

83,2 
208,2 

81,1 
205, 

96,1 
224, 
231,2 
186,1 
112, 
225,2 
140, 1 

}; 



Rijndael S box table 



256] = 
24, 119, 
30,201, 
53, 147, 
99, 35, 
31, 44, 
09, 0, 
39, 170, 
63, 64, 



12, 
29, 

50, 



19, 
79, 
58, 



00, 55, 
20, 37, 
62, 181, 
48, 152, 
61, 137, 



{ 

123, 

125, 

38, 
195, 

26, 
237, 
251, 
143, 
236, 
220, 

10, 
109, 

46, 
102, 

17, 

13, 



242, 107, 

250, 89, 

54, 63, 

24. 150, 
27, 110, 
32,252, 
67, 77, 

146, 157, 

95. 151, 
34, 42, 
73, 6, 

141,213, 

28, 166, 

72, 3, 

105,217, 

191,230, 



111, 
71, 

247, 

5, 

90, 

177, 
51, 
56, 
68, 

144, 
36, 
78, 

180, 

246, 

142, 
66, 



197, 
240, 
204, 
154, 
160, 

91, 
133, 
245, 

23, 
136, 

92, 
169, 
198, 

14, 
148, 
104, 



48, 
173, 

52, 
7, 

82, 
106, 

69, 
188, 
196, 

70, 
194, 
108, 
232, 

97, 
155, 

65, 



1, 

212, 

165, 

18, 

59, 

203, 

249, 

182, 

167, 

238, 

211, 

86, 

221, 

53, 

30, 

153, 



103, 
162, 
229, 
128, 
214, 
190, 
2, 
218, 
126, 
184, 
172, 
244, 
116, 

87, 
135, 

45, 



43, 

175, 

241, 

226, 

179, 

57, 

127, 

33, 

61, 

20, 

98, 

234, 

31, 

185, 

233, 

15, 



254, 

156, 

113, 

235, 

41, 

74, 

80, 

16, 

100, 

222, 

145, 

101, 

75, 

134, 

206, 

176, 



215, 

164, 

216, 

39, 

227, 

76, 

60, 

255, 

93, 

94, 

149, 

122, 

189, 

193, 

85, 

84, 



171, 118, 

114, 192, 

49, 21, 

178, 117, 

47, 132, 

88,207, 

159, 168, 

243,210, 

25, 115, 

11,219, 

228, 121, 

174, 8, 

139, 138, 

29, 158, 

40,223, 

187, 22, 



I* — 

u8 Xt 

0, 

32, 

64, 

96, 
128, 1 
160, 1 
192, 1 
224,2 

27, 

59, 

91, 
123, 1 
155, 1 
187, 1 
219,2 
251,2 



ime [ 

2, 
34, 
66, 
98, 1 
30,1 
62, 1 
94, 1 
26,2 
25, 
57, 
89, 
21, 1 
53, 1 
85, 1 
17,2 
49,2 



Thi 
256] 

4, 
36, 
68, 
00, 1 
32, 1 
64, 1 
96, 1 
28,2 
31, 
63, 
95, 
27, 1 
59, 1 
91,1 
23,2 
55,2 



s array 

= { 

6, 8, 
38, 40, 
70, 72, 
02, 104, 
34, 136, 
66, 168, 
98,200, 
30,232, 
29, 19, 
61, 51, 
93, 83, 
25, 115, 
57, 147, 
89, 179, 
21,211, 
53,243, 



does the multiplication by x in GF(2'^8) 



10, 

42, 

74, 
106, 1 
138,1 
170, 1 
202,2 
234,2 

17, 

49, 

81, 
113, 1 
145, 1 
177, 1 
209,2 
241,2 



14 

46 

78 

110 

142 

174 

206 

238 

21 

53 

85 

117 

149 

181 

213 

245 



16, 

48, 

80, 

112, 

144, 

176, 

208, 

240, 

11, 

43, 

75, 

107, 

139, 

171, 

203, 

235, 



18, 

50, 

82, 

114, 

146, 

178, 

210, 

242, 

9, 

41, 

73, 

105, 

137, 

169, 

201, 

233, 



20, 22, 

52, 54, 

84, 86, 

116, 118, 

148, 150, 

180, 182, 

212,214, 

244,246, 

15, 13, 

47, 45, 

79, 77, 

111, 109, 

143, 141, 

175, 173, 

207,205, 

239,237, 



24, 

56, 

88, 

120, 

152, 

184, 

216, 

248, 

3, 

35, 

67, 

99, 

131, 

163, 

195, 

227, 



26, 

58, 

90, 

122, 

154, 

186, 

218, 

250, 

1, 

33, 

65, 

97, 

129, 

161, 

193, 

225, 



28, 30, 

60, 62, 

92, 94, 

124, 126, 

156, 158, 

188, 190, 

220,222, 

252,254, 

7, 5, 

39, 37, 

71, 69, 

103, 101, 

135, 133, 

167, 165, 

199, 197, 

231,229 



Rijndael key schedule function. Takes 16-byte key and creates 
all Rijndael 's internal subkeys ready for encryption. 



void Ri jndaelKeySchedule ( u8 key [16] ) 
{ 

u8 roundConst; 

int i, j; 

/* first round key equals key */ 
for (i=0; i<16; i++) 

roundKeys [0] [i & 0x03] [i»2] = key[i]i 

roundConst = 1; 



/* now calculate round keys */ 

for (i=l; i<ll; i++) 

{ 

roundKeys [i] [0] [0] = S [roundKeys [i-1] [1] [3] 

" roundKeys [i-1] [0] [0] 

roundKeys [i] [1] [0] = S [roundKeys [i-1] [2] [3] 

" roundKeys [i-1] [1] [0] 

roundKeys [i] [2] [0] = S [roundKeys [i-1 ] [3 ] [3 ] 

" roundKeys [i-1] [2] [0] 

roundKeys [i] [3] [0] = S [roundKeys [i-1] [0] [3] 

" roundKeys [i-1] [3] [0] 



roundConst; 



for (j=0; j<4; j++) 

{ 

roundKeys [i] [j] [1] = roundKeys [i-1] 
roundKeys [i] [j] [2] = roundKeys [i-1] 
roundKeys [i] [ j ] [3] = roundKeys [i-1] 



i] [1 


j] [2 


j] [3 



roundKeys [i] [j] [0] 
roundKeys [i] [j] [1] 
roundKeys [i] [j] [2] 
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/* update round constant */ 
roundConst = Xtime [roundConst ] ; 



return; 
} /* end of function Ri jndaelKeySchedule */ 



/* Round key addition function */ 

void KeyAdd(u8 state[4][4], u8 roundKeys [11] [4] [4] , int round) 

{ 

int i, j; 

for (i=0; i<4; i++) 
for (j=0; j<4; j++) 

state [i] [j] ^= roundKeys [round] [i] [j]; 

return; 



/* Byte substitution transformation */ 

int ByteSub(u8 state [4] [4]) 

{ 

int i, j; 

for (i=0; i<4; i++) 
for (j=0; j<4; j++) 

state[i] [j] = S[state[i] [j] ]; 

return 0; 



/* Row shift transformation */ 
void ShiftRow(u8 state[4][4]) 
{ 

u8 temp; 



/* left rotate row 1 by 1 
temp = state [1] [0] ; 
state[l] [0] = state[l] [1] 
state[l] [1] = state[l] [2] 
state[l][2] = state[l][3] 
state [1] [3] = temp; 



/* left rotate row 2 by 2 ■ 
temp = state [2] [0] ; 
state[2][0] = state[2][2]; 
state [2] [2] = temp; 
temp = state [2] [1]; 
state[2][l] = state[2][3]; 
state [2] [3] = temp; 



/* left rotate row 3 by 3 
temp = state [3] [0] ; 
state[3][0] = state[3][3] 
state[3][3] = state[3][2] 
state[3][2] = state[3][l] 
state [3] [1] = temp; 



return; 



/* MixColumn transformation*/ 
void MixColumn (u8 state [4] [4]) 



u8 temp, tmp, tmpO; 
int i; 



/* do one column at a time */ 

for (1=0; i<4;i++) 

{ 

temp = state[0][i] " state[l][i] 

tmpO = state [0] [i] ; 



state[2] [i] 



state[3] [i] 
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/* Xtime array does multiply by x in GF2'^8 */ 
tmp = Xtime [state [0] [i] " state [1] [i] ] ; 
state [0] [i] ^= temp ^ tmp; 

tmp = Xtime [state [1] [i] " state [2] [i] ] ; 
state [1] [i] ^= temp ^ tmp; 

tmp = Xtime [state [2] [i] " state [3] [i] ] ; 
state [2] [i] ^= temp ^ tmp; 

tmp = Xtime [state [3] [i] ^ tmpO]; 
state [3] [i] ^= temp ^ tmp; 



return; 
} 



/* 

* Rijndael encryption function. Takes 16-byte input and creates 

* 16-byte output (using round keys already derived from 16-byte 

* key) . 

* */ 

void RijndaelEncrypt ( u8 input [16], u8 output [16] ) 
{ 

u8 state [4] [4] ; 

int i, r; 

/* initialise state array from input byte string */ 
for (1=0; i<16; i++) 

state[i & 0x3] [i>>2] = input[i]; 

/* add first round_key */ 
KeyAdd (state, roundKeys, 0); 

/* do lots of full rounds */ 

for (r=l; r<=9; r++) 

{ 

ByteSub (state) ; 

ShiftRow (state) ; 

MixColumn (state) ; 

KeyAdd (state, roundKeys, r) ; 



/* final round */ 

ByteSub (state) ; 

ShiftRow (state) ; 

KeyAdd (state, roundKeys, r) ; 

/* produce output byte string from state array */ 

for (1=0; i<16; 1++) 

{ 

output[i] = state[i & 0x3] [i»2]; 



return; 
} /* end of function RijndaelEncrypt */ 
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Annex 4: 

Rijndael Listing - 32-Bit Word Oriented 



Rijndael Implementation 



* A sample 32-bit orientated implementation of Rijndael, the 

* suggested kernel for the example 3GPP authentication and key 

* agreement functions. 

* This implementation draws on the description in section 5.2 of 

* the AES proposal and also on the implementation by 

* Dr B. R. Gladman <brg@gladman . uk . net> 9th October 2000. 

* It uses a number of large (4k) lookup tables to implement the 

* algorithm in an efficient manner. 

* Note: in this implementation the State is stored in four 32-bit 

* words, one per column of the State, with the top byte of the 

* column being the _least_ significant byte of the word. 

* */ 

#define LITTLE_ENDIAN /* For INTEL architecture */ 



typedef unsigned char u8; 
typedef unsigned int u32; 

/* Circular byte rotates of 32 bit values */ 

#define rotl (x) ( (x << 8) I (x >> 24)) 
#define rot2 (x) ( (x << 16) \ (x >> 16)) 
#define rot3 (x) ( (x << 24) | (x » 8)) 

/* Extract a byte from a 32-bit u32 */ 

#define byteO (x) ((u8)(x)) 

#define bytel (x) ((u8)(x >> 8)) 

#define byte2 (x) ((u8) (x >> 16)) 

#define byte3 (x) ((u8) (x >> 24)) 



/* Put or get a 32 bit u32 (v) in machine order from a byte * 
* address in (x) */ 

#ifdef LITTLE_ENDIAN 

#define u32_in(x) (*(u32*)(x)) 
#define u32_out(x,y) (*(u32*)(x) = y) 

#else 

/* Invert byte order in a 32 bit variable */ 

inline u32 byte_swap (const u32 x) 

return rotl(x) & OxOOffOOff | rot3 (x) & OxffOOffOO; 

inline u32 u32_in(const u8 x[]) 

return byte_swap ( * (u32* ) x) ; 

inline void u32__out (u8 x[], const u32 v) 

*(u32*)x = byte_swap (v) ; 

#endif 

/* The lookup tables 

static u32 rnd_con[10] = 
{ 
0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, OxlB, 0x36 
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); 



static u32 ft_tab[4] [256] 



{ 

0xA56363C6 

0x50303060 

0x45CACA8F 

0xECADAD41 

OxC2B7B775 

0x5C343468 

0x0C040408 

0x0907070E 

0xlB090912 

0xF65252A4 

0xF55353A6 

0xBE6A6AD4 

0x6BD0D0BB 

0xCF45458A 

0xF35151A2 

0xDFBCBC63 

0x4CCDCD81 

0x57C4C493 

0xA06060C0 

0xCA46468C 

0x3BE0E0DB 

0x5DC2C29F 

0x32E7E7D5 

0xB46C6CD8 

0xD5BABA6F 

0x23E8E8CB 

0x907070E0 

0xA36161C2 

0x38ElElD9 

0xB69B9B2D 

0x8F8C8C03 

0xC3414182 



0x847C7CF8 
0x03010102 
0x9D82821F 
0x67D4D4B3 
OxlCFDFDEl 
0xF4A5A551 
0x52C7C795 
0x36121224 
0x9E83831D 
0x4D3B3B76 
0x68DlDlB9 
0x46CBCB8D 
Ox2AEFEFC5 
0xl0F9F9E9 
0xFEA3A35D 
0xClB6B677 
0xl40C0C18 
OxF2A7A755 
0x98818119 
0x29EEEEC7 
0x56323264 
0x6ED3D3BD 
0x43C8C88B 
0xFA5656AC 
0x887878F0 
0x7CDDDDAl 
0x423E3E7C 
0x5F35356A 
0xl3F8F8EB 
Ox221ElE3C 
0xF8AlA159 
0xB0999929 



0x997777EE 
0xA96767CE 
0x40C9C989 
OxFDA2A25F 
0xAE93933D 
0x34E5E5Dl 
0x65232346 
0x9B80801B 
0x742C2C58 
0x61D6D6B7 
0000000000 
0xD9BEBE67 
OxE5AAAA4F 
0x06020204 
0xC0404080 
0x7 5DADAAF 
0x35131326 
0x827E7EFC 
0xD14F4F9E 
0xD3B8B86B 
0x4E3A3A74 
0xEFACAC4 3 
0x5937376E 
0x07F4F4F3 
0x6F25254A 
0x9C7474E8 
OxC4B5B571 
0xF95757AE 
0xB398982B 
0x92878715 
0x80898909 
0x772D2D5A 



0x8D7B7BF6 
0x7D2B2B56 
0x877D7DFA 
OxEAAFAF4 5 
0x6A26264C 
0x08FlFlF9 
0x5EC3C39D 
Ox3DE2E2DF 
0x2ElAlA34 
0xCEB3B37D 
Ox2CEDEDCl 
0x4B393972 
0xl6FBFBED 
0x817F7FFE 
0x8A8F8F05 
0x63212142 
0x2FECECC3 
0x473D3D7A 
0x7FDCDCA3 
0x3C141428 
0xlE0A0A14 
0xA66262C4 
0xB76D6DDA 
Ox25EAEACF 
Ox722E2E5C 
0x211FlF3E 
0xAA6666CC 
0xD0B9B969 
0x33111122 
0x20E9E9C9 
0xl70D0DlA 
OxllOFOFlE 



OxODF2F2FF 
0xl9FEFEE7 
Oxl5FAFAEF 
0xBF9C9C23 
0x5A36366C 
0x937171E2 
0x28181830 
0x2 6EBEBCD 
0x2DlBlB36 
0x7B292952 
0x60202040 
0xDE4A4A94 
0xC5434386 
OxF05050AO 
0xAD92923F 
0x30101020 
0xE15F5FBE 
0xAC6464C8 
0x66222244 
0x79DEDEA7 
0xDB494992 
0xA8919139 
0x8C8D8D01 
0xAF6565CA 
0x241ClC38 
0xDD4B4B96 
0xD8484890 
0x91868617 
0xBB6969D2 
0x49CECE87 
0xDABFBF65 
0xCBB0B07B 



0xBD6B6BD6 
0x62D7D7B5 
0xEB5959B2 
0xF7A4A453 
0x413F3F7E 
0x73D8D8AB 
0xA1969637 
0x6927274E 
0xB26E6EDC 
0x3EE3E3DD 
0xlFFCFCE3 
0xD44C4C98 
0xD74D4D9A 
0x443C3C78 
0xBC9D9D21 
OxlAFFFFE5 
0xA2979735 
OxE75D5DBA 
Ox7E2A2A54 
OxE25E5EBC 
0x0A06060C 
0xA4959531 
0x64D5D5Bl 
0x8E7A7AF4 
0xFlA6A657 
0xDCBDBD61 
0x05030306 
0x58ClC199 
0x70D9D9A9 
OxFF5555AA 
0x31E6E6D7 
0xFC5454A8 



0xB16F6FDE 
0xE6ABAB4D 
0xC947478E 
0x967272E4 
Ox02F7F7F5 
0x53313162 
OxOF05050A 
OxCDB2B27F 
OxEE5A5AB4 
Ox712F2F5E 
0xC8BlB179 
0xE85858B0 
0x55333366 
0xBA9F9F25 
0x48383870 
0x0EF3F3FD 
0xCC444488 
0x2B191932 
0xAB90903B 
0xlD0B0B16 
0x6C242448 
0x37E4E4D3 
0xD24E4E9C 
0xE9AEAE47 
0xC7B4B473 
0x868B8B0D 
0x01F6F6F7 
0x271DlD3A 
0x898E8E07 
0x78282850 
0xC6424284 
0xD6BBBB6D 



0x54C5C591, 
0x9A7676EC, 
OxOBFOFOFB, 
0x5BC0C09B, 
0x4FCCCC83, 
Ox3F15152A, 
0xB59A9A2F, 
0x9F7575EA, 
OxFBAOA05B, 
0x97848413, 
0xED5B5BB6, 
0x4ACFCF85, 
0x94858511, 
0xE3A8A84B, 
Ox04F5F5Fl, 
0x6DD2D2BF, 
0x3917172E, 
0x957373E6, 
0x8388880B, 
0x7 6DBDBAD, 
0xE45C5CB8, 
0x8B7979F2, 
0xE0A9A949, 
0x18080810, 
0x51C6C697, 
0x858A8A0F, 
Oxl20EOElC, 
0xB99E9E27, 
0xA7949433, 
Ox7ADFDFA5, 
0xB86868D0, 
0x3A16162C 



{ 

0x6363C6A5 

0x30306050 

0xCACA8F45 

0xADAD41EC 

0xB7B775C2 

0x3434685C 

0x0404080C 

0x07070E09 

0x0909121B 

0x5252A4F6 

0x5353A6F5 

0x6A6AD4BE 

0xD0D0BB6B 

0x45458ACF 

Ox5151A2F3 

0xBCBC63DF 

0xCDCD814C 

0xC4C49357 

0x6060C0A0 

0x46468CCA 

0xE0E0DB3B 

0xC2C29F5D 

0xE7E7D532 

0x6C6CD8B4 

0xBABA6FD5 

0xE8E8CB23 

0x7070E090 

0x6161C2A3 

0xElElD938 

0x9B9B2DB6 

0x8C8C038F 

0x414182C3 



0x7C7CF884 
0x01010203 
0x82821F9D 
0xD4D4B367 
OxFDFDEllC 
0xA5A551F4 
0xC7C79552 
0x12122436 
0x83831D9E 
0x3B3B764D 
0xDlDlB968 
0xCBCB8D46 
OxEFEFC52A 
0xF9F9E910 
0xA3A35DFE 
0xB6B677Cl 
0x0C0C1814 
0xA7A755F2 
0x81811998 
0xEEEEC729 
0x32326456 
0xD3D3BD6E 
0xC8C88B43 
0x5656ACFA 
0x7878F088 
0xDDDDA17C 
0x3E3E7C42 
0x35356A5F 
0xF8F8EB13 
OxlElE3C22 
0xAlA159F8 
0x999929B0 



0x7777EE99 
0x6767CEA9 
0xC9C98940 
OxA2A25FFD 
0x93933DAE 
0xE5E5D134 
0x23234665 
0x80801B9B 
0x2C2C5874 
0xD6D6B761 
0000000000 
0xBEBE67D9 
OxAAAA4FE5 
0x02020406 
0x404080C0 
OxDADAAF7 5 
0x13132635 
0x7E7EFC82 
0x4F4F9EDl 
0xB8B86BD3 
0x3A3A744E 
0xACAC43EF 
0x37376E59 
0xF4F4F307 
0x25254A6F 
0x7474E89C 
0xB5B571C4 
0x5757AEF9 
0x98982BB3 
0x87871592 
0x89890980 
0x2D2D5A77 



0x7B7BF68D 
0x2B2B567D 
0x7D7DFA87 
OxAFAF45EA 
0x26264C6A 
0xFlFlF908 
0xC3C39D5E 
OxE2E2DF3D 
0xlAlA342E 
0xB3B37DCE 
OxEDEDC12C 
0x3939724B 
0xFBFBED16 
0x7F7FFE81 
0x8F8F058A 
0x21214263 
0xECECC32F 
0x3D3D7A47 
0xDCDCA37F 
0xl414283C 
0x0A0A141E 
0x6262C4A6 
0x6D6DDAB7 
0xEAEACF25 
0x2E2E5C72 
0xlFlF3E21 
0x6666CCAA 
0xB9B969D0 
0x11112233 
0xE9E9C920 
0x0D0DlA17 
OxOFOFlEll 



OxF2F2FFOD 
0xFEFEE719 
OxFAFAEF15 
0x9C9C23BF 
0x36366C5A 
0x7171E293 
0x18183028 
0xEBEBCD2 6 
0xlBlB362D 
0x2929527B 
0x20204060 
0x4A4A94DE 
0x434386C5 
Ox5050AOFO 
0x92923FAD 
0x10102030 
Ox5F5FBEEl 
0x6464C8AC 
0x22224466 
0xDEDEA779 
0x494992DB 
0x919139A8 
0x8D8D018C 
0x6565CAAF 
0xlClC3824 
0x4B4B96DD 
0x484890D8 
0x86861791 
0x6969D2BB 
0xCECE8749 
0xBFBF65DA 
0xB0B07BCB 



0x6B6BD6BD 
0xD7D7B562 
0x5959B2EB 
0xA4A453F7 
0x3F3F7E41 
0xD8D8AB73 
0x969637Al 
0x27274E69 
0x6E6EDCB2 
0xE3E3DD3E 
0xFCFCE31F 
0x4C4C98D4 
0x4D4D9AD7 
0x3C3C7844 
0x9D9D21BC 
OxFFFFE51A 
0x979735A2 
Ox5D5DBAE7 
Ox2A2A547E 
Ox5E5EBCE2 
0x06060C0A 
0x959531A4 
0xD5D5B164 
0x7A7AF48E 
0xA6A657Fl 
0xBDBD61DC 
0x03030605 
0xClC19958 
0xD9D9A970 
Ox5555AAFF 
0xE6E6D731 
0x5454A8FC 



0x6F6FDEBl 
0xABAB4DE6 
0x47478EC9 
0x7272E496 
OxF7F7F502 
0x31316253 
Ox05050AOF 
OxB2B27FCD 
Ox5A5AB4EE 
0x2F2F5E71 
0xBlB179C8 
0x5858B0E8 
0x33336655 
0x9F9F25BA 
0x38387048 
0xF3F3FD0E 
0x444488CC 
0xl919322B 
0x90903BAB 
0x0B0B161D 
0x2424486C 
0xE4E4D337 
0x4E4E9CD2 
0xAEAE47E9 
0xB4B473C7 
0x8B8B0D86 
0xF6F6F701 
0xlDlD3A27 
0x8E8E0789 
0x28285078 
0x424284C6 
0xBBBB6DD6 



0xC5C59154, 
0x7676EC9A, 
OxFOFOFBOB, 
0xC0C09B5B, 
0xCCCC834F, 
Oxl5152A3F, 
0x9A9A2FB5, 
0x7575EA9F, 
OxAOA05BFB, 
0x84841397, 
0x5B5BB6ED, 
0xCFCF854A, 
0x85851194, 
0xA8A84BE3, 
OxF5F5F104, 
0xD2D2BF6D, 
0xl7172E39, 
0x7373E695, 
0x88880B83, 
0xDBDBAD76, 
0x5C5CB8E4, 
0x7979F28B, 
0xA9A949E0, 
0x08081018, 
0xC6C69751, 
0x8A8A0F85, 
OxOEOElC12, 
0x9E9E27B9, 
0x949433A7, 
0xDFDFA57A, 
0x6868D0B8, 
0xl6162C3A 



{ 

0x63C6A563, 0x7CF8847C, 0x77EE9977, 0x7BF68D7B, OxF2FFODF2, 0x6BD6BD6B, 0x6FDEB16F, 0xC59154C5, 
0x30605030, 0x01020301, 0x67CEA967, 0x2B567D2B, 0xFEE719FE, 0xD7B562D7, 0xAB4DE6AB, 0x76EC9A76, 
0xCA8F45CA, 0x821F9D82, 0xC98940C9, 0x7DFA877D, OxFAEF15FA, 0x59B2EB59, 0x478EC947, OxFOFBOBFO, 
0xAD41ECAD, 0xD4B367D4, OxA25FFDA2, OxAF45EAAF, 0x9C23BF9C, 0xA453F7A4, 0x72E49672, 0xC09B5BC0, 
0xB775C2B7, OxFDEllCFD, 0x933DAE93, 0x264C6A26, 0x366C5A36, 0x3F7E413F, OxF7F502F7, 0xCC834FCC, 
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0x34685C34, 
0x04080C04, 
0x070E0907, 
0x09121B09, 
0x52A4F652, 
0x53A6F553, 
0x6AD4BE6A, 
0xD0BB6BD0, 
0x458ACF45, 
Ox51A2F351, 
0xBC63DFBC, 
0xCD814CCD, 
0xC49357C4, 
0x60C0A060, 
0x468CCA46, 
0xE0DB3BE0, 
0xC29F5DC2, 
0xE7D532E7, 
0x6CD8B46C, 
0xBA6FD5BA, 
0xE8CB23E8, 
0x70E09070, 
0x61C2A361, 
0xElD938El, 
0x9B2DB69B, 
0x8C038F8C, 
0x4182C341, 



0xA551F4A5, 
0xC79552C7, 
0x12243612, 
0x831D9E83, 
0x3B764D3B, 
0xDlB968Dl, 
0xCB8D46CB, 
OxEFC52AEF, 
0xF9E910F9, 
0xA35DFEA3, 
0xB677ClB6, 
0x0C18140C, 
OxA755F2A7, 
0x81199881, 
0xEEC729EE, 
0x32645632, 
0xD3BD6ED3, 
0xC88B43C8, 
0x56ACFA56, 
0x78F08878, 
0xDDA17CDD, 
0x3E7C423E, 
0x356A5F35, 
0xF8EB13F8, 
OxlE3C221E, 
0xA159F8Al, 
0x9929B099, 



0xE5D134E5 
0x23466523 
0x801B9B80 
0x2C58742C 
0xD6B761D6 
0000000000 
0xBE67D9BE 
OxAA4FE5AA 
0x02040602 
0x4080C040 
OxDAAF7 5DA 
0x13263513 
0x7EFC827E 
0x4F9ED14F 
0xB86BD3B8 
0x3A744E3A 
0xAC43EFAC 
0x376E5937 
0xF4F307F4 
0x254A6F25 
0x74E89C74 
0xB571C4B5 
0x57AEF957 
0x982BB398 
0x87159287 
0x89098089 
0x2D5A772D 



0xFlF908Fl 
0xC39D5EC3 
OxE2DF3DE2 
0xlA342ElA 
0xB37DCEB3 
OxEDC12CED 
0x39724B39 
0xFBED16FB 
0x7FFE817F 
0x8F058A8F 
0x21426321 
0xECC32FEC 
0x3D7A473D 
0xDCA37FDC 
0xl4283C14 
0x0A141E0A 
0x62C4A662 
0x6DDAB76D 
OxEACF25EA 
Ox2E5C722E 
0xlF3E211F 
0x66CCAA66 
0xB969D0B9 
0x11223311 
0xE9C920E9 
0x0DlA170D 
OxOFlEllOF 



0x71E29371, 
0x18302818, 
0xEBCD26EB, 
0xlB362DlB, 
0x29527B29, 
0x20406020, 
0x4A94DE4A, 
0x4386C543, 
Ox50AOF050, 
0x923FAD92, 
0x10203010, 
Ox5FBEE15F, 
0x64C8AC64, 
0x22446622, 
0xDEA779DE, 
0x4992DB49, 
0x9139A891, 
0x8D018C8D, 
0x65CAAF65, 
0xlC38241C, 
0x4B96DD4B, 
0x4890D848, 
0x86179186, 
0x69D2BB69, 
0xCE8749CE, 
0xBF65DABF, 
0xB07BCBB0, 



0xD8AB73D8, 
0x9637A196, 
0x274E6927, 
0x6EDCB26E, 
0xE3DD3EE3, 
0xFCE31FFC, 
0x4C98D44C, 
0x4D9AD74D, 
0x3C78443C, 
0x9D21BC9D, 
OxFFE51AFF, 
0x9735A297, 
Ox5DBAE75D, 
Ox2A547E2A, 
Ox5EBCE25E, 
0x060C0A06, 
0x9531A495, 
0xD5B164D5, 
0x7AF48E7A, 
0xA657FlA6, 
0xBD61DCBD, 
0x03060503, 
0xC19958Cl, 
0xD9A970D9, 
Ox55AAFF55, 
0xE6D731E6, 
0x54A8FC54, 



0x31625331 
Ox050AOF05 
OxB27FCDB2 
Ox5AB4EE5A 
Ox2F5E712F 
0xB179C8Bl 
0x58B0E858 
0x33665533 
0x9F25BA9F 
0x38704838 
0xF3FD0EF3 
0x4488CC44 
0xl9322B19 
0x903BAB90 
0x0B161D0B 
0x24486C24 
0xE4D337E4 
0x4E9CD24E 
0xAE47E9AE 
0xB473C7B4 
0x8B0D868B 
0xF6F701F6 
0xlD3A271D 
0x8E07898E 
0x28507828 
0x4284C642 
0xBB6DD6BB 



Oxl52A3F15, 
0x9A2FB59A, 
0x75EA9F75, 
OxA05BFBAO, 
0x84139784, 
0x5BB6ED5B, 
0xCF854ACF, 
0x85119485, 
0xA84BE3A8, 
OxF5F104F5, 
0xD2BF6DD2, 
0xl72E3917, 
0x73E69573, 
0x880B8388, 
0xDBAD7 6DB, 
0x5CB8E45C, 
0x79F28B79, 
0xA949E0A9, 
0x08101808, 
0xC69751C6, 
0x8A0F858A, 
OxOElC120E, 
0x9E27B99E, 
0x9433A794, 
OxDFA57ADF, 
0x68D0B868, 
0xl62C3A16 



{ 

0xC6A56363 

0x60503030 

0x8F45CACA 

0x41ECADAD 

Ox75C2B7B7 

0x685C3434 

0x080C0404 

0x0E090707 

0xl21B0909 

0xA4F65252 

0xA6F55353 

0xD4BE6A6A 

0xBB6BD0D0 

0x8ACF4545 

OxA2F35151 

0x63DFBCBC 

0x814CCDCD 

0x9357C4C4 

0xC0A06060 

0x8CCA4646 

0xDB3BE0E0 

0x9F5DC2C2 

0xD532E7E7 

0xD8B46C6C 

0x6FD5BABA 

0xCB23E8E8 

0xE0907070 

0xC2A36161 

0xD938ElEl 

0x2DB69B9B 

0x038F8C8C 

0x82C34141 



0xF8847C7C 
0x02030101 
0xlF9D8282 
0xB367D4D4 
OxEllCFDFD 
Ox51F4A5A5 
0x9552C7C7 
0x24361212 
0xlD9E8383 
0x764D3B3B 
0xB968DlDl 
0x8D46CBCB 
OxC52AEFEF 
0xE910F9F9 
0x5DFEA3A3 
0x77ClB6B6 
0xl8140C0C 
0x55F2A7A7 
0x19988181 
0xC729EEEE 
0x64563232 
0xBD6ED3D3 
0x8B43C8C8 
0xACFA5656 
0xF0887878 
OxA17CDDDD 
0x7C423E3E 
0x6A5F3535 
0xEB13F8F8 
Ox3C221ElE 
0x59F8AlAl 
0x29B09999 



0xEE997777 
0xCEA96767 
0x8940C9C9 
Ox5FFDA2A2 
0x3DAE9393 
0xD134E5E5 
0x46652323 
0xlB9B8080 
0x58742C2C 
0xB761D6D6 
0000000000 
0x67D9BEBE 
Ox4FE5AAAA 
0x04060202 
0x80C04040 
OxAF7 5DADA 
0x26351313 
0xFC827E7E 
0x9ED14F4F 
0x6BD3B8B8 
0x744E3A3A 
0x4 3EFACAC 
0x6E593737 
0xF307F4F4 
0x4A6F2525 
0xE89C7474 
Ox71C4B5B5 
0xAEF95757 
0x2BB39898 
0x15928787 
0x09808989 
0x5A772D2D 



0xF68D7B7B 
0x567D2B2B 
0xFA877D7D 
Ox45EAAFAF 
0x4C6A2626 
0xF908FlFl 
0x9D5EC3C3 
OxDF3DE2E2 
0x342ElAlA 
0x7DCEB3B3 
OxC12CEDED 
0x724B3939 
0xED16FBFB 
0xFE817F7F 
0x058A8F8F 
0x42632121 
0xC32FECEC 
0x7A473D3D 
0xA37FDCDC 
0x283C1414 
0xl41E0A0A 
0xC4A66262 
0xDAB76D6D 
0xCF25EAEA 
0x5C722E2E 
0x3E211FlF 
0xCCAA6666 
0x69D0B9B9 
0x22331111 
0xC920E9E9 
0xlA170D0D 
OxlEllOFOF 



OxFFODF2F2 
0xE719FEFE 
OxEF15FAFA 
0x23BF9C9C 
0x6C5A3636 
0xE2937171 
0x30281818 
0xCD2 6EBEB 
0x362DlBlB 
0x527B2929 
0x40602020 
0x94DE4A4A 
0x86C54343 
OxAOF05050 
0x3FAD9292 
0x20301010 
OxBEE15F5F 
0xC8AC6464 
0x44662222 
0xA779DEDE 
0x92DB4949 
0x39A89191 
0x018C8D8D 
0xCAAF6565 
0x38241ClC 
0x96DD4B4B 
0x90D84848 
0x17918686 
0xD2BB6969 
0x8749CECE 
0x65DABFBF 
0x7BCBB0B0 



0xD6BD6B6B 
0xB562D7D7 
0xB2EB5959 
0x53F7A4A4 
0x7E413F3F 
0xAB73D8D8 
0x37A19696 
0x4E692727 
0xDCB26E6E 
0xDD3EE3E3 
0xE31FFCFC 
0x98D44C4C 
0x9AD74D4D 
0x78443C3C 
0x21BC9D9D 
OxE51AFFFF 
0x35A29797 
OxBAE75D5D 
Ox547E2A2A 
OxBCE25E5E 
0x0C0A0606 
0x31A49595 
0xB164D5D5 
0xF48E7A7A 
0x57FlA6A6 
0x61DCBDBD 
0x06050303 
0x9958ClCl 
0xA970D9D9 
0xAAFF5555 
0xD731E6E6 
0xA8FC5454 



0xDEB16F6F 
0x4DE6ABAB 
0x8EC94747 
0xE4967272 
OxF502F7F7 
0x62533131 
OxOAOF0505 
Ox7FCDB2B2 
OxB4EE5A5A 
0x5E712F2F 
0x79C8BlBl 
0xB0E85858 
0x66553333 
0x25BA9F9F 
0x70483838 
0xFD0EF3F3 
0x88CC4444 
0x322B1919 
0x3BAB9090 
0xl61D0B0B 
0x486C2424 
0xD337E4E4 
0x9CD24E4E 
0x47E9AEAE 
0x73C7B4B4 
0x0D868B8B 
0xF701F6F6 
0x3A271DlD 
0x07898E8E 
0x50782828 
0x84C64242 
0x6DD6BBBB 



0x9154C5C5, 
0xEC9A7676, 
OxFBOBFOFO, 
0x9B5BC0C0, 
0x834FCCCC, 
Ox2A3F1515, 
0x2FB59A9A, 
0xEA9F7575, 
Ox5BFBAOAO, 
0x13978484, 
0xB6ED5B5B, 
0x854ACFCF, 
0x11948585, 
0x4BE3A8A8, 
OxF104F5F5, 
0xBF6DD2D2, 
0x2E391717, 
0xE6957373, 
0x0B838888, 
0xAD7 6DBDB, 
0xB8E45C5C, 
0xF28B7979, 
0x49E0A9A9, 
0x10180808, 
0x9751C6C6, 
0x0F858A8A, 
OxlC120EOE, 
0x27B99E9E, 
0x33A79494, 
0xA57ADFDF, 
0xD0B86868, 
0x2C3A1616 



}; 



static u32 fl„tab[4] [256] 



{ 

0x000 

0x000 

0x000 

0x000 

0x000 

0x000 

0x000 

0x000 

0x000 

0x000 

0x000 



00063, 
00030, 
OOOCA, 
OOOAD, 
000B7, 
00034, 
00004, 
00007, 
00009, 
00052, 
00053, 



0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



0007C, 
00001, 
00082, 
000D4, 
OOOFD, 
000A5, 
000C7, 
00012, 
00083, 
0003B, 
OOODl, 



0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



00077, 
00067, 
000C9, 
000A2, 
00093, 
000E5, 
00023, 
00080, 
0002C, 
000D6, 
00000, 



0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



0007B, 
0002B, 
0007D, 
00 OAF, 
00026, 
OOOFl, 
000C3, 
000E2, 
OOOIA, 
000B3, 
OOOED, 



0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



000F2, 
OOOFE, 
OOOFA, 
0009C, 
00036, 
00071, 
00018, 
OOOEB, 
OOOIB, 
00029, 
00020, 



0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



0006B, 
000D7, 
00059, 
000A4, 
0003F, 
000D8, 
00096, 
00027, 
0006E, 
000E3, 
OOOFC, 



0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



0006F, 
OOOAB, 
00047, 
00072, 
000F7, 
00031, 
00005, 
000B2, 
0005A, 
0002F, 
OOOBl, 



0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 
0x000 



000C5, 
00076, 
OOOFO, 
OOOCO, 
OOOCC, 
00015, 
0009A, 
00075, 
OOOAO, 
00084, 
0005B, 
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0x000000 6A,0x000000CB,0x000000BE, 0x00000039, 0x0000004A,0x0000004C, 0x00000058, OxOOOOOOCF, 
OxOOOOOODO,OxOOOOOOEF,OxOOOOOOAA, OxOOOOOOFB, 0x00000043, 0x0000004D, 0x00000033, 0x00000085, 
0x00000045, 0x000000F9, 0x00000002, OxOOOOOOVF, 0x00000050, 0x0000003C, 0x000000 9F,0x000000A8, 
0x00000051, 0x000000A3, 0x00000040, 0x0000008F, 0x000000 92, 0x000000 9D, 0x00000038, OxOOOOOOF5, 
0x000000BC,0x000000B6,0x000000DA, 0x00000021, 0x00000010, 0x000000FF,0x000000F3,0x000000D2, 
OxOOOOOOCD,OxOOOOOOOC, 0x000000 13, OxOOOOOOEC,Ox0000005F, 0x000000 97, 0x00000044, 0x000000 17, 
0x000000C4,0x000000A7,0x0000007E,0x0000003D, 0x000000 64, Ox0000005D, 0x000000 19, 0x00000073, 
0x000000 60, 0x0000008 l,0x0000004F,0x000000DC, 0x00000022, Ox0000002A, 0x000000 90,0x00000088, 
0x0000004 6, 0x000000EE,0x000000B8, 0x00000014, OxOOOOOODE,Ox0000005E,OxOOOOOOOB,OxOOOOOODB, 
0x000000E0,0x00000032,0x0000003A,0x0000000A, 0x0000004 9,0x0000000 6,0x00000024,0x00000050, 
0x000000C2,0x000000D3,0x000000AC, 0x000000 62, 0x000000 91, 0x000000 95, 0x000000E4, 0x0000007 9, 
0x000000E7,0x000000C8, 0x00000037, 0x000000 6D,0x0000008D,0x000000D5,0x0000004E,0x000000A9, 
0x000000 6C, 0x00000056, 0x000000F4,0x000000EA, 0x000000 65, 0x0000007A,0x000000AE, 0x00000008, 
OxOOOOOOBA, 0x00000078, 0x00000025, Ox0000002E, 0x000000 lC,0x000000A6,0x000000B4,0x000000C6, 
0x000000E8, OxOOOOOODD, 0x00000074, 0x000000 IF, 0x0000004B, OxOOOOOOBD, 0x0000008B, 0x0000008A, 
0x00000070, 0x0000003E,0x000000B5, 0x000000 66, 0x00000048, 0x00000003, 0x000000F6,0x0000000E, 
0x000000 61, 0x00000035, 0x00000057, 0x000000B9, 0x0000008 6, OxOOOOOOCl, 0x000000 ID, 0x000000 9E, 
0x000000El,0x000000F8, 0x000000 98, 0x000000 11, 0x000000 69, 0x000000D9,0x0000008E, 0x000000 94, 
0x000000 9B,0x0000001E, 0x00000087, 0x000000E9, OxOOOOOOCF, 0x00000055, 0x00000028, OxOOOOOODF, 
0x0000008C,0x000000Al, 0x0000008 9, 0x0000000D,0x000000BF,0x000000E6, 0x00000042, 0x000000 68, 
0x0000004 1,0x000000 99, 0x0000002D,0x0000000F,0x000000B0, 0x00000054, OxOOOOOOBB, 0x000000 16 
}, 
{ 

0x0000 6300, 0x00007C00, 0x00007700, 0x00007B00,0x0000F200, 0x0000 6B00, 0x0000 6F00,0x0000C500, 
0x00003000, 0x00000 100, 0x0000 6700, Ox00002BOO,OxOOOOFEOO,OxOOOOD700,OxOOOOABOO, 0x00007 600, 
OxOOOOCAOO, 0x00008200, 0x0000C900,0x00007D00,0x0000FA00, 0x00005900, 0x00004700, OxOOOOFOOO, 
0x0000AD00,0x0000D400,0x0000A200,0x0000AF00,0x0000 9C00,0x0000A400, 0x00007200, OxOOOOCOOO, 
0x0000B700,0x0000FD00, 0x0000 9300, 0x00002 600, 0x00003600, 0x00003F00,0x0000F700,0x0000CC00, 
0x00003400, OxOOOOA500,OxOOOOE500,OxOOOOF100, 0x00007100, 0x0000D800, 0x00003100, 0x00001500, 
0x00000400, 0x00000700,0x00002300, 0x00000300,0x00001800, 0x0000 9600, 0x00000500, 0x0000 9A00, 
0x00000700, 0x00001200, 0x00008000, OxOOOOE200,OxOOOOEBOO, 0x00002700, OxOOOOB200, 0x00007500, 
0x00000 900, 0x00008300, 0x00002000, 0x0000 lAOO, 0x0000 IBOO, 0x0000 6E00,0x00005A00,0x0000A000, 
0x00005200, 0x00003B00,0x0000D600,0x0000B300, 0x00002 900, 0x0000E300,0x00002F00, 0x00008400, 
0x00005300, OxOOOODlOO, 0000000000, OxOOOOEDOO, 0x00002000, OxOOOOFOOO, OxOOOOB100,Ox00005BOO, 
0x0000 6A00,0x0000OB00,0x0000BE00, 0x00003900, 0x00004A00, 0x00004000, 0x00005800, OxOOOOOFOO, 
OxOOOODOOO,OxOOOOEFOO,OxOOOOAAOO,OxOOOOFBOO, 0x00004300, 0x00004D00, 0x00003300, 0x00008500, 
0x00004500, 0x0000F900, 0x00000200, 0x00007F00, 0x00005000, 0x00003000, 0x0000 9F00,0x0000A800, 
0x00005100, 0x0000A300, 0x00004000, 0x00008F00, 0x0000 9200, 0x0000 9D00, 0x00003800, OxOOOOF500, 
0x0000BO00,0x0000B600,0x0000DA00, 0x00002 100, 0x0000 1000, 0x0000FF00,0x0000F300,0x0000D200, 
OxOOOOODOO, 0x00000000,0x0000 1300, OxOOOOFOOO, Ox00005FOO, 0x0000 9700, 0x00004400, 0x0000 1700, 
0x00000400, 0x0000A700,0x00007E00,0x00003D00, 0x0000 6400, Ox00005DOO, 0x0000 1900, 0x00007300, 
0x0000 6000, 0x00008 100, 0x00004F00,0x0000DO00, 0x00002200, Ox00002AOO, 0x0000 9000, 0x00008800, 
0x00004 600, 0x0000EE00,0x0000B800, 0x0000 1400, OxOOOODEOO,Ox00005EOO,OxOOOOOBOO,OxOOOODBOO, 
OxOOOOFOOO, 0x00003200, 0x00003A00,0x00000A00, 0x00004 900, 0x00000 600, 0x00002400, 0x00005000, 
0x00000200, 0x0000D300,0x0000AO00, 0x0000 6200, 0x0000 9100, 0x0000 9500, 0x0000F400, 0x00007 900, 
0x0000F700, 0x00000800, 0x00003700, 0x0000 6D00,0x00008D00,0x0000D500,0x00004F00,0x0000A900, 
0x0000 6000, 0x00005600, 0x0000F400,0x0000FA00, 0x0000 6500, 0x00007A00,0x0000AE00, 0x00000800, 
OxOOOOBAOO, 0x00007800, 0x00002500, 0x00002F00,0x00001O00,0x0000A600,0x0000B400, 0x00000600, 
0x0000F800, OxOOOODDOO, 0x00007400, 0x0000 IFOO, 0x00004B00, OxOOOOBDOO, 0x00008B00, 0x00008A00, 
0x00007000, 0x00003F00,0x0000B500, 0x0000 6600, 0x00004800, 0x00000300, 0x0000F600, OxOOOOOFOO, 
0x0000 6100, 0x00003500, 0x00005700, 0x0000B900, 0x00008 600,0x00000100, 0x0000 IDOO, 0x0000 9F00, 
0x0000F100,0x0000F800, 0x0000 9800, 0x0000 1100, 0x0000 6900, 0x0000D900,0x00008F00, 0x0000 9400, 
0x0000 9B00, 0x0000 IFOO, 0x00008700, 0x0000F900, OxOOOOOFOO, 0x00005500, 0x00002800, OxOOOODFOO, 
0x00008000, OxOOOOAlOO, 0x00008 900, OxOOOOODOO, 0x0000BF00,0x0000F600, 0x00004200, 0x0000 6800, 
0x00004100, 0x00009900, 0x0 000 2D00, OxOOOOOFOO, OxOOOOBOOO, 0x000054 00, OxOOOOBBOO, 0x00001600 
}, 
{ 

0x00 630000, 0x00700000, 0x00770000, Ox007BOOOO,OxOOF20000, 0x00 6B0000, 0x00 6F0000, 0x00050000, 
0x00300000, 0x000 10000, 0x00 670000, Ox002BOOOO,OxOOFFOOOO,OxOOD70000,OxOOABOOOO, 0x007 60000, 
OxOOOAOOOO, 0x00820000, 0x00090000, 0x007D0000,0x00FA0000, 0x00590000, 0x00470000, OxOOFOOOOO, 
OxOOADOOOO,OxOOD40000,OxOOA20000,OxOOAFOOOO, 0x00 900000, 0x00A40000, 0x00720000, OxOOOOODOO, 
0x00B70000,0x00FD0000, 0x00 930000, 0x002 60000, 0x00360000, 0x003F0000,0x00F70000,0x00OO0000, 
0x00340000, OxOOA50000,OxOOF50000,OxOOF10000, 0x007 10000, 0x00D80000, 0x00310000, 0x00 150000, 
0x00040000, 0x00070000, 0x00230000, 0x00030000, 0x00 180000, 0x00 960000, 0x00050000, 0x00 9A0000, 
0x00070000, 0x00120000, 0x00800000, OxOOF20000,OxOOFBOOOO, 0x00270000, OxOOB20000, 0x00750000, 
0x000 90000, 0x00830000, 0x00200000, 0x00 lAOOOO, 0x00 IBOOOO, 0x00 6F0000,0x005A0000,0x00A00000, 
0x00520000, 0x003B0000,0x00D60000,0x00B30000, 0x002 90000, 0x00F30000,0x002F0000, 0x00840000, 
0x00530000, OxOODlOOOO, 0000000000, OxOOFDOOOO, 0x00200000, OxOOFOOOOO, OxOOB10000,Ox005BOOOO, 
0x00 6A0000,0x00OB0000,0x00BF0000, 0x00390000, 0x004A0000, 0x00400000, 0x00580000, OxOOOFOOOO, 
OxOODOOOOO,OxOOFFOOOO,OxOOAAOOOO,OxOOFBOOOO, 0x00430000, 0x004D0000, 0x00330000, 0x00850000, 
0x00450000, 0x00F90000, 0x00020000, 0x007F0000, 0x00500000, 0x00300000, 0x00 9F0000,0x00A80000, 
0x00510000, 0x00A30000, 0x00400000, 0x008F0000, 0x00 920000, 0x00 9D0000, 0x00380000, OxOOF50000, 
0x00BO0000,0x00B60000,0x00DA0000, 0x002 10000, 0x00 100000, 0x00FF0000,0x00F30000,0x00D20000, 
OxOOODOOOO, 0x00000000,0x00 130000, OxOOFOOOOO, Ox005FOOOO, 0x00 970000, 0x00440000, 0x00 170000, 
0x00040000, 0x00A70000,0x007F0000,0x003D0000, 0x00 640000, Ox005DOOOO, 0x00 190000, 0x00730000, 
0x00 600000, 0x008 10000, 0x004F0000,0x00DO0000, 0x00220000, Ox002AOOOO, 0x00 900000, 0x00880000, 
0x004 60000, 0x00FF0000,0x00B80000, 0x00 140000, OxOODFOOOO,Ox005FOOOO,OxOOOBOOOO,OxOODBOOOO, 
OxOOFOOOOO, 0x00320000, 0x003A0000, OxOOOAOOOO, 0x004 90000, 0x000 60000, 0x00240000, 0x00500000, 
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OxOOC20000, 
OxOOEVOOOO, 

Oxooecoooo, 

OxOOBAOOOO, 
OxOOESOOOO, 
0x00700000, 
0x00610000, 
OxOOElOOOO, 
0x009B0000, 
OxOOSCOOOO, 
0x00410000, 



OxOODSOOOO, 
OxOOCSOOOO, 
0x00560000, 
0x00780000, 
OxOODDOOOO, 
0x003E0000, 
0x00350000, 
OxOOESOOOO, 
OxOOlEOOOO, 
OxOOAlOOOO, 
0x00990000, 



OxOOACOOOO, 
0x00370000, 
0x00F40000, 
0x00250000, 
0x00740000, 
OxOOB50000, 
0x00570000, 
0x00980000, 
0x00870000, 
0x00890000, 
0x002D0000, 



0x00620000, 
0x006D0000, 
OxOOEAOOOO, 
Ox002EOOOO, 
OxOOlEOOOO, 
0x00660000, 
0x00B90000, 
0x00110000, 
0x00E90000, 
OxOOODOOOO, 
OxOOOFOOOO, 



0x00910000, 
0x008D0000, 
0x00650000, 
OxOOlCOOOO, 
0x004B0000, 
0x00480000, 
0x00860000, 
0x00690000, 
OxOOCEOOOO, 
OxOOBEOOOO, 
OxOOBOOOOO, 



0x00950000, 
OxOOD50000, 
0x007A0000, 
0x00A60000, 
OxOOBDOOOO, 
0x00030000, 
OxOOClOOOO, 
0x00D90000, 
0x00550000, 
0x00E60000, 
0x00540000, 



0x00E40000, 
0x004E0000, 
OxOOAEOOOO, 
0x00B40000, 
0x008B0000, 
0x00E60000, 
OxOOlDOOOO, 
0x008E0000, 
0x00280000, 
0x00420000, 
OxOOBBOOOO, 



0x00790000, 
0x00A90000, 
0x00080000, 
0x00C60000, 
0x008A0000, 
OxOOOEOOOO, 
0x009E0000, 
0x00940000, 
OxOODEOOOO, 
0x00680000, 
0x00160000 



{ 

0x630 

0x300 

OxCAO 

Ox ADO 

0xB70 

0x340 

0x040 

0x070 

0x090 

0x520 

0x530 

0x6A0 

OxDOO 

0x450 

0x510 

OxBCO 

OxCDO 

0xC40 

0x600 

0x460 

OxEOO 

OxC20 

0xE70 

0x6C0 

OxBAO 

0xE80 

0x700 

0x610 

OxElO 

0x9B0 

0x8C0 

0x410 



00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 



0x7C0 
0x010 
0x820 
0xD40 
OxEDO 
OxA50 
0xC70 
0x120 
0x830 
0x3B0 
OxDlO 
OxCBO 
OxEEO 
0xE90 
0xA30 
0xB60 
OxOCO 
0xA7 
0x810 
OxEEO 
0x320 
0xD30 
0xC80 
0x560 
0x780 
OxDDO 
0x3E0 
0x350 
0xE80 
OxlEO 
OxAlO 
0x990 



00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 



0x770 
0x670 
0xC90 
OxA20 
0x930 
OxE50 
0x230 
0x800 
Ox2CO 
0xD60 
00000 
OxBEO 
OxAAO 
0x020 
0x400 
OxDAO 
0x130 
0x7E0 
0x4E0 
0xB80 
0x3A0 
Ox AGO 
0x370 
0xE40 
0x250 
0x740 
OxB50 
0x570 
0x980 
0x870 
0x890 
0x2D0 



00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



0x7B0 
Ox2BO 
0x7D0 
OxAEO 
0x260 
OxElO 
0xC30 
OxE20 
OxlAO 
0xB30 
OxEDO 
0x390 
OxEBO 
0x7E0 
0x8E0 
0x210 
OxECO 
0x3D0 
OxDCO 
0x140 
OxOAO 
0x620 
0x6D0 
OxEAO 
Ox2EO 
OxlEO 
0x660 
0xB90 
0x110 
0xE90 
OxODO 
OxOFO 



00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



0xF20 
OxEEO 
OxEAO 
0x9C0 
0x360 
0x710 
0x180 
OxEBO 
OxlBO 
0x290 
0x200 
0x4A0 
0x430 
0x500 
0x920 
0x100 
Ox5EO 
0x640 
0x220 
OxDEO 
0x490 
0x910 
0x8D0 
0x650 
OxlCO 
0x4B0 
0x480 
0x860 
0x690 
OxCEO 
OxBEO 
OxBOO 



00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



0x6B0 
0xD70 
0x590 
0xA4 
0x3E0 
0xD80 
0x960 
0x270 
0x6E0 
0xE30 
OxECO 
0x4C0 
0x4D0 
0x3C0 
0x9D0 
OxEEO 
0x970 
Ox5DO 
Ox2AO 
Ox5EO 
0x060 
0x950 
OxD50 
0x7A0 
0xA60 
OxBDO 
0x030 
OxClO 
0xD90 
0x550 
0xE60 
0x540 



00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



0x6E0 
Ox ABO 
0x470 
0x720 
0xE70 
0x310 
0x050 
OxB20 
Ox5AO 
Ox2EO 
OxBlO 
0x580 
0x330 
0x9E0 
0x380 
0xE30 
0x440 
0x190 
0x900 
OxOBO 
0x240 
0xE40 
0x4E0 
OxAEO 
0xB40 
0x8B0 
0xE60 
OxlDO 
0x8E0 
0x280 
0x420 
OxBBO 



00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 
00000 



0xC50 
0x760 
OxEOO 
OxCOO 
OxCCO 
0x150 
0x9A0 
0x750 
OxAOO 
0x840 
Ox5BO 
OxCEO 
0x850 
0xA80 
OxE50 
OxD20 
0x170 
0x730 
0x880 
OxDBO 
Ox5CO 
0x790 
0xA90 
0x080 
0xC60 
0x8A0 
OxOEO 
0x9E0 
0x940 
OxDEO 
0x680 
0x160 



00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000, 
00000 



}; 



The workspace 



static u32 Ekey [44] ; 



/* The expanded key */ 



/* The round Eunction. 

#define f_rnd(x, n) 

( ft_tab[0] [byteO (x[n] ) ] 
" ft_tab[l] [bytel (x[ (n + 1) 
" ft_tab[2] [byte2 (x[ (n + 2) 
" ft„tab[3] [byte3 (x[ (n + 3) 



4 table lookups and 4 Exors 



3]; 
3i; 
3]; 



#define f_round(bo, bi, k) 



bo[0] = 
bo[l] = 
bo [2] = 
bo [3] = 

k += 4 



f_rnd (bi, 
f_rnd (bi, 
f_rnd (bi, 
f_rnd (bi. 



0) 
1) 
2) 
3) 



k[0] 
k[l] 
k[2] 
k[3] 



/* The S Box lookup used in constructing the Key schedule */ 

#define ls_box(x) \ 

( fl_tab[0] [byteO (x) ] \ 

" fl_tab[l] [bytel (x) ] \ 

" fl_tab[2] [byte2 (x) ] \ 

" fUab[3] [byte3 (x) ] ) 



/* The last round function (no MixColumn) 

#define lf_rnd(x, n) \ 

( fl_tab[0] [byteO (x[n] ) ] \ 

" fl_tab[l] [bytel (x[ (n + 1) & 3])] \ 

" fl_tab[2] [byte2 (x[ (n + 2) & 3])] \ 
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fl_tab[3] [byteS (x[ (n + 3) & 3] ) ] ) 



* Ri jndaelKeySchedule 

* Initialise the key schedule from a supplied key 
*/ 

void Ri jndaelKeySchedule (u8 key [16]) 
{ 

u32 t; 

u32 *ek=Ekey, /* pointer to the expanded key */ 

*rc=rnd_con; /* pointer to the round constant */ 



Ekey [0] = u32_in(key ) 

Ekey[l] = u32_in(key + 4) 

Ekey [2] = u32_in(key + 8) 

Ekey[3] = u32_in(key + 12) 



while (ek < Ekey + 40) 
{ 

t = rot3 (ek[31 ) ; 

ek[41 = ek[0] " ls_box(t) 

ek[5] = ek[l] " ek[4] ; 

ek[6] = ek[21 " ek[5] ; 

ek[7] = ek[3] " ek[6] ; 

ek += 4; 



* Ri jndaelEncrypt 

* Encrypt an input block 
*/ 

void RijndaelEncrypt (u8 in[16], u8 out [16]) 
{ 



u32 



bO [4] , bl [4] , *kp = Ekey; 



bO[0] = u32_in(in ) -^ *kp++; 

bO[l] = u32_in(in + 4 ) -^ *kp+ + ; 

bO[2] = u32_in(in + 8 ) -^ *kp+ + ; 

b0[3] = u32_in(in + 12) ^ *kp++; 



f_ 


_round (bl. 


bO, 


kp 


f_ 


_round (bO, 


bl. 


kp 


f_ 


_round (bl. 


bO, 


kp 


f_ 


_round (bO, 


bl. 


kp 


f_ 


_round(bl. 


bO, 


kp 


f_ 


_round(bO, 


bl. 


kp 


f_ 


_round(bl. 


bO, 


kp 


f_ 


_round(bO, 


bl. 


kp 


f_ 


_round (bl. 


bO, 


kp 



u32_out(out, lf_rnd(bl, 0) '^ kp[0]), 

u32_out(out + 4, lf_rnd(bl, 1) " kp [ 1 ] ) , 

u32_out (out + 8, lf_rnd(bl, 2) " kp[2]), 

u32_out(out + 12, lf_rnd(bl, 3) " kp[3]), 
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Annex A (informative): 
Change history 



Change history 
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# 
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CR 
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SP-10 
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v1.1 


- 


SP-010673 


3.0.0 


Approved as Release 1 999 


SP-11 


3.0.0 




- 


4.0.0 


Updated to Release 4 


SP-16 


4.0.0 


- 


- 


5.0.0 


Updated to Release 5 


SP-20 


5.0.0 


001 


SP-030226 


5.1.0 


Addition of missing line to Rijndael S-box listing 
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5.0.0 


- 


- 
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